If you are trying to avoid forex scams, clone brokers, fake investment platforms, or “wealth managers” that appeared out of nowhere, the hard part is usually not finding a good story. The hard part is finding a trustworthy negative signal before your money leaves your account.
That is where IOSCO’s International Securities & Commodities Alerts Network, or I-SCAN, is unusually useful. IOSCO launched it in 2025 as a centralized hub that brings together alerts from regulators around the world about firms or investments reported as unlicensed or as scams. IOSCO said at launch that financial regulators would submit alerts directly to I-SCAN, making them available to users worldwide, and described the hub as part of its retail-investor online safety work.
The timing matters. IOSCO launched I-SCAN against a backdrop of growing online investment fraud, and its launch release says “billions” are being lost every year because of fraudulent activity or misleading statements.
For ordinary traders and investors, that makes I-SCAN valuable for one simple reason. It lets you check whether a name, website, app, social-media page, or supposed broker has already triggered a warning somewhere else. You no longer have to rely only on the regulator in your own country, or on your own ability to guess whether a site “looks fake.”
That does not make I-SCAN a magic shield. It does make it one of the better first stops before funding a broker, following a signal group, or trusting a financial promotion you found online.

What IOSCO I-SCAN actually is, and what it is not
At a basic level, I-SCAN is a searchable IOSCO portal for regulatory alerts and warnings. The page states that IOSCO receives alerts and warnings from its members about firms that are not authorized to provide investment services in the jurisdiction that issued the alert or warning. It also notes that some warnings concern unauthorized firms using names similar to authorized firms or falsely claiming to be associated with authorized firms.
That wording is important because it tells you what kind of problem I-SCAN is designed to catch. It is particularly useful for clone firms, fake brokers, fraudulent “investment schools,” bogus websites, and other entities that have already crossed a line serious enough for a regulator to publish an alert. The live portal shows exactly that kind of material, including websites, Instagram pages, Facebook pages, apps, and fake financial brands flagged by regulators such as the FCA, the Dutch AFM, the Thai SEC, the Hong Kong SFC, and the Bahamas’ Securities Commission.
It is also important to understand what I-SCAN is not. IOSCO states clearly that the alerts and warnings are provided by IOSCO members on a voluntary basis, that the contents are the responsibility of the issuing member, and that the list is not complete. In other words, I-SCAN is a strong screening tool, not a complete global blacklist of every scam in existence.
That distinction matters in practice. If a name appears in I-SCAN, that is a serious warning sign. If a name does not appear, that does not prove it is safe. The portal itself says as much by explaining that it is not a complete list of all alerts and warnings from all IOSCO members.
So the right mindset is to use I-SCAN as a high-value check, not as your only check.
Why it is so useful against scams in practice
Most scam prevention fails for a simple reason: people verify the sales story instead of the underlying entity.
A fake broker can have a convincing website. A scam signal group can have screenshots, testimonials, and a polished Telegram channel. A cloned firm can display a real address, a real-looking registration number, and a plausible compliance page. What most victims lack is a centralized way to ask a harder question: has any real securities regulator already warned about this name, website, or operation somewhere in the world? I-SCAN helps answer exactly that question.
The structure of the portal makes it practical, not merely interesting. The live page includes search, filtering by regulator, CSV export, and a large database of results. The sample view available on the portal showed over 41,000 results and listed warnings linked to websites, social-media pages, apps, and fake broker-style brands.
That breadth matters because modern scams are not limited to fake corporate websites. They now operate through Instagram pages, app-store links, Facebook profiles, cloned domains, and pseudo-academies. The portal’s own examples reflect that change. You are not just checking for “ABC Broker Ltd.” You may be checking a WhatsApp-linked website, a supposed AI trading hub, or a fake investment school.
There is another practical advantage. I-SCAN can surface warnings from outside your home market. A scammer may target you from another jurisdiction, use a foreign domain, or borrow the identity of a firm regulated elsewhere. A domestic-only search can miss that. IOSCO built I-SCAN precisely to create “one place” where firms or investments reported as unlicensed or as scams can be identified across borders.
That makes it especially useful for forex and online trading, where scams are often international by design.
How regulators feed alerts into it
The reporting model behind I-SCAN is fairly simple, but it matters.
IOSCO’s launch release says that financial regulators submit alerts directly to I-SCAN. The portal page then adds the more precise qualification that the alerts and warnings included in the list are provided by IOSCO members on a voluntary basis. IOSCO also says the contents remain the responsibility of the regulator that issued the alert or warning.
That means I-SCAN is not inventing or independently investigating the underlying warning in each case. It is aggregating warnings produced by participating regulators and making them easier to search globally. The logic is similar to a shared warning network: the primary regulator issues the alert, and I-SCAN makes it visible beyond that regulator’s own website.
The voluntary nature of reporting is worth stressing because it sets realistic expectations. Some IOSCO members clearly appear in the I-SCAN filter and results. Others may be IOSCO members but may not yet have visible alerts in the portal, or may not contribute in the same way or at the same frequency. The portal itself reflects this by saying the list is not complete and that alerts are provided on a voluntary basis.
This is not a weakness so much as a reminder that I-SCAN is a live network, not a finished registry. The more regulators contribute, the more useful it becomes. IOSCO’s own language at launch described it as a centralized hub drawing alerts from over 150 regulators worldwide, which shows the ambition even if participation and alert flow will vary across jurisdictions.
So when you use I-SCAN, think of it as a shared regulator-to-public signal layer rather than as a single global police database.
The FCA, CMA Kenya, and other regulators in the IOSCO network
The UK’s Financial Conduct Authority is the easiest example to explain because its warnings are clearly visible in the I-SCAN ecosystem and because the FCA already runs its own strong domestic warning infrastructure. The FCA’s Warning List says it contains firms and individuals the FCA is concerned are operating without permission in the UK, and it adds an important caution: if a firm is not on the list, it may still be unauthorized or a scam. The FCA also directs users to its Firm Checker for authorization checks.
That aligns neatly with how I-SCAN works. In the I-SCAN portal’s visible results, the FCA appears as a regulator source, and one sample result shown on the live page was “AI Trading Hub,” marked under “United Kingdom – Financial Conduct Authority.”
Kenya’s Capital Markets Authority sits in a slightly different position in the evidence available. CMA Kenya is clearly an IOSCO ordinary member, and IOSCO’s membership page lists Kenya’s Capital Markets Authority among IOSCO members. IOSCO’s EMMoU signatories page also shows CMA Kenya as an Appendix A.1 signatory dated May 14, 2025, which confirms active participation in IOSCO’s enhanced multilateral information-sharing framework.
Kenya’s CMA also maintains its own official licensee portal, where investors can search approved institutions and licensed market players, including CMA regulated dealing and non-dealing online forex brokers, money managers, investment banks, and other categories. It also runs an eCitizen services portal that includes complaints handling.
What I could verify directly is that CMA Kenya is inside IOSCO as a member and EMMoU signatory. What I could not verify from the current I-SCAN filter view is that CMA Kenya warnings are presently visible as a contributing source inside the live I-SCAN results page. The visible regulator filter in the portal includes many authorities, such as the FCA, AFM, SFC, ASIC’s peers, the U.S. SEC and CFTC, but Kenya did not appear in the specific filter list returned by the page snapshot I checked.
That is worth saying plainly because the distinction matters. FCA reporting into the practical I-SCAN flow is easy to see. CMA Kenya is clearly part of IOSCO’s broader regulatory network, but I cannot honestly say from the evidence I checked that CMA’s own warnings are currently appearing in I-SCAN results.
Among other regulators, the portal clearly shows contributions or visible filter presence from authorities such as the Dutch AFM, the Thai SEC, the Hong Kong SFC, the Bahamas’ Securities Commission, the Swiss FINMA, and U.S. agencies including the SEC and CFTC.
How to use I-SCAN properly before you send money
The strongest use of I-SCAN is not after something feels wrong. It is before you fund anything.
Start with the commercial name, website, app name, or social-media identity you were given. Search the exact name first. Then search variations, especially if the entity uses multiple words, hyphens, or generic branding. Clone firms and fake platforms often mutate small details. That is precisely why IOSCO says some warnings involve unauthorized firms using names similar to authorized firms or falsely claiming association with authorized firms.
Next, search the URL itself, not only the brand. The I-SCAN page visibly includes results for direct domains and even social-media or app links, which is useful because many scams now hide behind websites or profiles rather than legal company names.
Then filter by regulator if the firm claims a home jurisdiction. If the broker says it is UK-regulated, you should search I-SCAN and then cross-check the FCA’s own Warning List and Firm Checker. If the firm says it is licensed in Kenya, you should cross-check the CMA licensee portal directly even if I-SCAN shows nothing. That is the right way to combine a global alert hub with the source regulator’s own registry.
The sequencing matters. I-SCAN should be your fast international warning check. The home regulator’s authorization register should be your legal-status check. Those are not the same thing.
One more practical point: use I-SCAN even when the promotion seems minor. It is just as useful for a “trading academy,” a signal group, or an app pitched on Instagram as it is for a broker. The portal’s current examples show why: warnings cover websites, apps, Instagram pages, and fake educational brands, not only formal brokers.
What I-SCAN will not do for you
I-SCAN is strong, but it has limits, and those limits are visible in IOSCO’s own wording.
It is not a complete repository of every warning issued by every regulator. IOSCO states this directly. The portal says the alerts are provided by IOSCO members on a voluntary basis and that the list is not complete.
It is also not a substitute for checking whether a firm is actually licensed. A warning database and an authorization database are different tools. The FCA itself says that even if a firm is not on the Warning List, it may still be unauthorized or a scam, which is why it directs users to the Firm Checker as well.
I-SCAN also cannot tell you whether a firm with a real license is suitable, honest in marketing, or financially healthy. It can tell you that a regulator has warned about something. It cannot do your entire due-diligence process for you.
That is not a criticism. It is simply the correct way to use it. Think of I-SCAN as a cross-border fraud-warning amplifier, not as a one-stop due-diligence engine.
Building a verification routine around I-SCAN
The strongest anti-scam routine is layered.
First, run the name, URL, app, or social handle through I-SCAN. Because IOSCO designed it as a centralized hub of regulator alerts, it is one of the fastest ways to see whether the thing in front of you has already triggered concern somewhere else.
Second, go to the source regulator. For UK firms, that means the FCA’s own tools, especially the Warning List and Firm Checker. For Kenya, that means the CMA licensee portal and, where relevant, the CMA complaints and services infrastructure.
Third, compare names, domains, and contact details carefully. A real firm name paired with the wrong URL or the wrong phone number is one of the oldest clone-firm tricks, and both IOSCO and the FCA warn about this pattern.
Fourth, assume absence of evidence is not evidence of safety. I-SCAN itself says the list is incomplete. The FCA says the same thing about its own Warning List.
A routine like that is boring, which is exactly why it works. Scammers depend on speed, mood, and trust in presentation. I-SCAN helps replace that with a process.
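The search steps from "How to use I-SCAN properly before you send money" and the first, third and fourth steps of the routine above can be run against the portal's CSV export. The following Python is an added example, not IOSCO or regulator code; the column names (name, url, regulator), the sample rows, the shared-host list and the 0.85 similarity threshold are assumptions made for illustration.

```python
import csv, io, re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed rows standing in for an I-SCAN CSV export. The column names
# are assumptions; change them to match the header of the real export.
SAMPLE_EXPORT = """name,url,regulator
Northgate Capital Markets,https://www.northgate-capitalfx.example/,Regulator A
Apex-Trade Academy,https://instagram.example/apextrade.academy,Regulator B
"""
LEGAL_SUFFIXES = {"ltd", "limited", "llc", "inc", "plc"}
# Hosts shared by many accounts, where the handle identifies the entity.
# instagram.example is a stand-in used only by the constructed rows above.
SHARED_HOSTS = {"instagram.com", "facebook.com", "t.me", "instagram.example"}

def norm_name(name):
    """Lower-case, then drop spaces, hyphens, punctuation and legal suffixes."""
    words = re.sub(r"[^a-z0-9]+", " ", name.lower()).split()
    return "".join(w for w in words if w not in LEGAL_SUFFIXES)

def url_key(url):
    """Host without 'www.'; on shared platforms, host plus account handle."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").lower()
    host = host[4:] if host.startswith("www.") else host
    if host in SHARED_HOSTS:
        return host + "/" + parts.path.strip("/").split("/")[0].lower()
    return host

def check(name, url, export_text, threshold=0.85):
    """Return (alert name, regulator, name score, url match) for each hit."""
    hits, cand_name, cand_key = [], norm_name(name), url_key(url)
    for row in csv.DictReader(io.StringIO(export_text)):
        score = SequenceMatcher(None, cand_name, norm_name(row["name"])).ratio()
        url_match = bool(cand_key) and cand_key == url_key(row["url"])
        if url_match or score >= threshold:
            hits.append((row["name"], row["regulator"], round(score, 2), url_match))
    return hits

def verdict(hits):
    """An empty result is never 'safe': the alert list is incomplete."""
    if hits:
        return "ALERT FOUND: treat as a serious warning sign"
    return "NO ALERT FOUND: not cleared, check the home regulator's register"

if __name__ == "__main__":
    for cand in [("Northgate Capital-Markets Ltd", ""),
                 ("Some Other Brand", "northgate-capitalfx.example/login"),
                 ("Unlisted Name", "unlisted.example")]:
        print(cand, verdict(check(*cand, SAMPLE_EXPORT)))
```

A hit on the URL with a low name score is the clone pattern from the third step: a different brand sitting on a domain a regulator has already flagged.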
Final view
IOSCO I-SCAN is not literally your only friend against scams, but it is one of the best first friends to have.
Its value is straightforward. It gives you a single searchable place to check whether a regulator somewhere in the IOSCO network has already warned about a firm, domain, app, or fake investment brand. IOSCO built it to make those warnings easier to find across borders, and the live portal already shows why that matters.
Use it early, not late. Pair it with the home regulator’s own register. Use the FCA’s tools for UK claims, and use CMA Kenya’s own licensee and complaint portals for Kenyan claims. Just be clear about one point: some regulators, like the FCA, are visibly feeding warnings into I-SCAN now, while for others, such as CMA Kenya, I could verify IOSCO membership and cooperation status but not current visible I-SCAN alert entries from the portal snapshot I checked.
That is still enough to make I-SCAN worth using every time. In scam prevention, boring verification usually beats instinct.
